The Network and Information Systems (NIS) Regulations 2018 are the UK's principal cyber security regulations for critical infrastructure and key digital services. They impose mandatory security duties and incident reporting obligations on two categories of organisation: operators of essential services (OES) in sectors such as energy, transport, health, water, and digital infrastructure; and relevant digital service providers (RDSPs) offering online marketplaces, online search engines, or cloud computing services.

The 2022 amendment brought managed service providers (MSPs) into scope and strengthened competent authority powers. The Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025, will further expand the regulations to cover data centres, additional digital services, and critical suppliers in supply chains.

If your business provides essential services or in-scope digital services in the UK, non-compliance can result in penalties of up to £17 million. A single cyber incident could also trigger parallel enforcement under UK GDPR if personal data is compromised, with a separate maximum penalty of £17.5 million or 4% of global turnover.

Who must comply

Operators of essential services (OES) are organisations in five sectors whose network and information systems support the delivery of essential services:

Energy: Electricity generators, distributors, and suppliers; gas distribution and supply; oil pipeline operators (regulated by Ofgem)
Transport: Air carriers, airport operators, rail operators, port authorities, inland waterway operators (regulated by Department for Transport)
Health: NHS trusts, foundation trusts, and health bodies providing healthcare (regulated by Department of Health and Social Care)
Drinking water: Water suppliers and distributors (regulated by Defra / Environment Agency)
Digital infrastructure: Internet exchange point operators, DNS service providers, top-level domain name registries (regulated by Ofcom)

OES in the energy and digital infrastructure sectors are automatically designated. OES in transport, health, and water must receive a written designation notice from their competent authority.

Relevant digital service providers (RDSPs) include businesses providing:

Online marketplaces: Platforms enabling businesses and consumers to conclude contracts online (e.g. e-commerce platforms, app stores)
Online search engines: Services enabling keyword-based searches of websites
Cloud computing services: On-demand network access to shared computing resources (IaaS, PaaS, SaaS)

NIS Regulations applicability thresholds

Who must comply with NIS Regulations 2018 - operators of essential services (OES) and relevant digital service providers (RDSP).

The Network and Information Systems (NIS) Regulations 2018 apply to operators of essential services (OES) and relevant digital service providers (RDSP).

Small business exemption: Organisations with fewer than 50 employees AND turnover/balance sheet below €10 million are exempt from RDSP obligations
OES sectors: Energy, transport, water, health, digital infrastructure
RDSP services: Online marketplaces, online search engines, cloud computing
Group assessment: If part of larger group, assess group numbers not subsidiary alone
Incident notification: Within 72 hours of discovery
Regulator: Sector-specific Competent Authorities (e.g., Ofgem for energy, ICO for digital services)
NCSC role: UK's single point of contact (SPOC) and computer security incident response team (CSIRT)

Security framework: NCSC Cyber Assessment Framework (CAF) - 14 core principles
OES obligations: Manage risks, prevent incidents, notify Competent Authority of incidents
RDSP obligations: Appropriate security measures, incident notification, comply with CA requests
Penalty maximum: £17 million for most serious breaches

NIS Regulations guidance

Security requirements

Both OES and RDSPs must take appropriate and proportionate technical and organisational measures to manage security risks to the network and information systems on which their services depend. In practice, this means:

Risk management: Identify and assess cyber risks to the systems supporting your essential or digital service, with regular reviews as threats evolve
Protective measures: Implement technical controls proportionate to the risks identified, including access control, encryption, vulnerability management, and network segmentation
Detection: Deploy monitoring and detection capabilities to identify potential security events and anomalous activity
Business continuity: Maintain tested incident response and disaster recovery plans to minimise service disruption
Supply chain security: Assess and manage security risks from third-party suppliers and service providers

OES are assessed against the NCSC Cyber Assessment Framework (CAF), which sets out 14 principles across four objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of incidents. RDSPs must follow ICO guidance and may align to standards such as ISO 27001 or NCSC Cyber Essentials.

NIS Regulations incident notification requirements

Incident notification requirements under NIS Regulations 2018, including 72-hour timeline, notification paths by sector, and relationship with GDPR breach notification.

Under the Network and Information Systems (NIS) Regulations 2018, operators of essential services (OES) and relevant digital service providers (RDSP) must notify their competent authority of incidents that have a significant impact on the continuity or security of their services.

Notification deadline: Within 72 hours of becoming aware of the incident
Threshold for reporting (OES): Incident has significant impact on continuity of essential service
Threshold for reporting (RDSP): Incident has substantial impact on provision of digital service
OES notify: Energy sector: Ofgem
OES notify: Transport sector: Department for Transport
OES notify: Health sector: Department of Health and Social Care
OES notify: Water sector: Defra (Environment Agency in practice)
OES notify: Digital infrastructure: Ofcom
RDSP notify: All digital services: Information Commissioner's Office (ICO)

Initial notification must include: Nature of incident, affected systems, estimated impact, initial containment measures
Follow-up report required: Full details within reasonable time after incident resolved
NCSC role: UK's Computer Security Incident Response Team (CSIRT) - technical support and coordination
Voluntary notification: Can notify NCSC of incidents below threshold for advice and support

Relationship with GDPR breach notification

Separate obligations apply: NIS incident notification does not replace GDPR data breach notification. If an incident involves personal data, you may need to:

Notify your NIS competent authority (within 72 hours)
Notify the ICO under GDPR (within 72 hours) if personal data at risk
Notify affected individuals under GDPR (without undue delay) if high risk

Both notification regimes have a 72-hour deadline but are triggered by different criteria and go to different authorities (except for RDSPs where ICO handles both).

NIS penalty maximum: Up to £17 million for most serious breaches
GDPR penalty maximum: Up to £17.5 million or 4% of turnover (separate from NIS)
Failure to notify (NIS): Enforcement action by competent authority, potential fine

NIS Regulations guidance

NIS Regulations penalties

Penalty framework under the Network and Information Systems Regulations 2018, including maximum fines, penalty tiers by infringement type, regulator enforcement powers, and relationship with GDPR penalties.

The Network and Information Systems (NIS) Regulations 2018 give competent authorities powers to impose significant penalties on operators of essential services (OES) and relevant digital service providers (RDSP) who fail to comply with security and incident notification requirements.

Maximum penalty: £17 million
Penalty applies to: Most serious breaches where material deficiencies have been identified
Penalty range: Penalties can range from warning notices to the £17 million maximum depending on severity
Penalty structure: No formal tiers - penalties determined by competent authority based on circumstances

Factors considered: Impact severity: Scale, duration, and geographic scope of the incident or deficiency
Factors considered: Number affected: Number of users, businesses, or critical services impacted
Factors considered: Economic damage: Financial losses to affected parties and wider economy
Factors considered: Degree of negligence: Whether operator took reasonable security measures and responded appropriately
Factors considered: History: Previous contraventions, warnings, or enforcement action
Factors considered: Cooperation: Level of cooperation with competent authority during investigation

Enforcement powers by sector

Each sector has a designated competent authority with enforcement powers:

Energy sector enforcer: Ofgem
Transport sector enforcer: Department for Transport
Health sector enforcer: Department of Health and Social Care
Water sector enforcer: Defra (Environment Agency in practice)
Digital infrastructure enforcer: Ofcom
Digital service providers enforcer: Information Commissioner's Office (ICO)

Enforcement powers

Competent authorities can take the following enforcement actions:

Information notices - require information about security measures and incidents
Inspection - conduct audits and inspections of security arrangements
Enforcement notices - require specific actions to remedy deficiencies
Penalty notices - impose financial penalties up to £17 million
Directions - require specific security measures or operational changes

Relationship with GDPR penalties

Penalties can be cumulative: NIS and GDPR are separate regulatory regimes with distinct penalty frameworks:

NIS maximum penalty: £17 million
UK GDPR maximum penalty (higher tier): £17.5 million or 4% of global annual turnover, whichever is higher
UK GDPR maximum penalty (standard): £8.7 million or 2% of global annual turnover
Same incident, both regimes: A single cyber incident could trigger enforcement under both NIS and GDPR if it involves personal data
Double jeopardy protection: None - separate legal bases allow separate penalties for same incident
ICO role (RDSPs): ICO is competent authority for both NIS (digital services) and GDPR, may coordinate enforcement

UK enforcement to date

Competent authorities have primarily used enforcement notices and warnings rather than maximum penalties. Focus has been on improving security posture through:

Security assessments using NCSC Cyber Assessment Framework (CAF)
Improvement plans with defined timescales
Follow-up inspections to verify compliance
Escalation to penalties only for persistent non-compliance

NIS Regulations guidance

Maximum penalty: £17 million for the most serious breaches
Incident notification deadline: Within 72 hours of becoming aware of a significant incident
Small business exemption (RDSP only): Organisations with fewer than 50 employees AND turnover/balance sheet below EUR 10 million are exempt
OES sectors: Energy, transport, health, drinking water, digital infrastructure
RDSP services in scope: Online marketplaces, online search engines, cloud computing services
Security framework (OES): NCSC Cyber Assessment Framework (CAF) — 14 principles across 4 objectives
ICO NIS registration fee: No separate NIS registration fee — RDSPs must register with ICO

ℹ️ Cyber Security and Resilience Bill (2025) will expand scope

1. Determine whether your business is in scope

Assess whether you are an operator of essential services (check against Schedule 2 sectors and designation criteria) or a relevant digital service provider (online marketplace, search engine, or cloud computing with 50+ employees and turnover above EUR 10 million). If part of a larger group, assess against group numbers, not your subsidiary alone.
2. Register with your competent authority

RDSPs must register with the ICO. OES are either automatically designated (energy, digital infrastructure) or designated by notice from their sector competent authority. If you believe you should be designated, contact the relevant authority proactively.
3. Conduct a baseline security assessment

For OES, self-assess against the NCSC Cyber Assessment Framework (CAF) 14 principles. For RDSPs, assess against ICO NIS guidance and consider alignment to ISO 27001 or Cyber Essentials Plus. Identify gaps between your current security posture and the required standard.
4. Implement proportionate security measures

Address gaps identified in your assessment. Prioritise controls covering access management, vulnerability management, network monitoring, data protection, and supply chain security. Document all measures and the rationale for their proportionality.
5. Establish incident detection and response procedures

Deploy monitoring tools to detect security events. Create an incident response plan with clear roles, escalation paths, and communication templates. Test the plan through regular exercises (at least annually).
6. Set up incident reporting processes

Create a notification procedure to report significant incidents to your competent authority within 72 hours. Prepare template notifications covering the required information — nature of incident, affected systems, estimated impact, and initial containment measures. If personal data is involved, you may also need to notify the ICO separately under UK GDPR.
7. Manage supply chain security

Assess the security practices of your critical suppliers and service providers. Include security requirements in contracts and conduct periodic reviews. The forthcoming Cyber Security and Resilience Bill will strengthen supply chain duties.
8. Document and maintain evidence of compliance

Keep records of risk assessments, security measures implemented, incident response tests, and any incidents reported. Competent authorities can request evidence during inspections or investigations. Review and update documentation at least annually.

NIS Regulations guidance and resources

Official guidance from UK government, ICO, and NCSC on NIS compliance.

The NIS Regulations 2018 — GOV.UK collection
Government collection of NIS policy, legislation, competent authority guidance, and NCSC Cyber Assessment Framework references.
GOV.UK
Cyber Security and Resilience Bill — GOV.UK
Factsheets and impact assessments for the Bill expanding NIS scope to managed service providers and data centres.
GOV.UK
NIS Regulations 2018 (full text)
Full text of the Network and Information Systems Regulations 2018 as amended.
legislation.gov.uk
Cyber Essentials scheme overview
Government-backed cyber security certification scheme — baseline standard referenced by NIS guidance.
GOV.UK
NIS post-implementation review
Government review of NIS effectiveness including competent authority feedback and scope recommendations.
GOV.UK

NIS Regulations guidance on GOV.UK

Business Context Testing

Content Graph

Guvnor

Network and Information Systems (NIS) Regulations

Who must comply

Security requirements

ℹ️ Cyber Security and Resilience Bill (2025) will expand scope

1. Determine whether your business is in scope

2. Register with your competent authority

3. Conduct a baseline security assessment

4. Implement proportionate security measures

5. Establish incident detection and response procedures

6. Set up incident reporting processes

7. Manage supply chain security

8. Document and maintain evidence of compliance

Compliance Assistant

🧪 Business Context Testing

◉ Content Graph

Who must comply

Security requirements

ℹ️ Cyber Security and Resilience Bill (2025) will expand scope

1. Determine whether your business is in scope

2. Register with your competent authority

3. Conduct a baseline security assessment

4. Implement proportionate security measures

5. Establish incident detection and response procedures

6. Set up incident reporting processes

7. Manage supply chain security

8. Document and maintain evidence of compliance

Related guides in Digital & Technology

Business Context Testing

Content Graph